HI All,

I need to allow traceroute traffic through ASA running version 8.0.2.
This traffic is natted.
what configuration is required on ASA to allow this natted traceroute traffic.
Traffic is coming from inside and going outside.
Also can we capture this traceroute traffic on asa using capture feature.

Thanx
harry

Traceroute protocols will depend on the application making the request. Windows sends ICMP ECHOs with low TTLs, and it expects ICMP Time Exceeded messages coming back, followed by an ICMP echo reply from the final destination.

Nix clients, including OSX, routers and the like will send UDP packets with a ephemeral source and destination port. They would expect ICMP Time Exceeded messages followed by an ICMP Port Unreachable message from the final destination.

_________________
www.mellowd.co.uk/ccie/

Thanks for your instant reply.

so this way for windows machines,

I need to allow icmp echo reqest (8) traffic on inside interface of asa and icmp time exceed (11) and icmp echo reply (0) on outside interface.

Is this the only configuration required to allow tracert traffic for windows machines?

what capture i need to draft for capturing this traffic on asa?

Thanx.

No idea about the ASA unfortunately as I don't use them.

But yes your ports are correct. I would of course test to make sure.

It's generally not a good idea to block most of the ICMP messages anyway as it can break a number of things like mtu path discovery and the like.

_________________
www.mellowd.co.uk/ccie/

Capturing packets on the ASA:
http://www.cisco.com/en/US/products/ps6 ... edd6.shtml

Ha. never knew that, always thought all traceroutes use low TTL.

It'll still use low TTL's so it gets TIME Exceeded for each L3 device on the way. But yes they use UDP packets instead of ICMP ECHOs

_________________
www.mellowd.co.uk/ccie/

I made capture for capturing tracert data on asa. for this I made test acls for both in & out cap for both the interfaces. these acl's allow both ip & icmp traffic from any to any.

After applying these captures on the asa interfaces I ran tracert command on window machine n checked for output wth show capture name. buth i have not received any out put.

when i ran ping command for same Ip I got output of echo request and echo reply.

Now I am not clear where i was wrong.
so what shoud be capture config for tracert data to get output.

Thankx

HI,

please help me in creating right capture for capturing traceroute traffic of windows macnine on asa.

Thanx

access-list inside_test permit icmp any any
capture capin access-list inside_test interface inside

do your testing

show capture capin
to see traffic results

to remove

no capture capin
no access-list inside_test

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw

enter
conf t
fixup protocol icmp

"fixup" is deprecated PIX code. The ASA uses inspection policies:



You would still need to allow the ICMP traffic on your ACL's.